Facsimile (fax) use is not
considered an "electronic transmission" under HIPAA, and so
is not addressed by its security regulations.

(Telephone
voice response or "faxback" systems -- a request for information
made via voice/keystroke input using a fax machine, with requested information
returned via that same machine as a fax -- are also excluded from the
definition of electronic transmission.)

HIPAA's privacy regulations do
not address facsimile transmission directly. But a common-sense interpretation
dictates many of the components of any "faxing policy" under
HIPAA. Faxes of PHI should:

be sent only to known locations,
where the physical security and monitoring practices of the receiving
fax machine are known;

rely on preprogrammed (and
tested) fax numbers set on the sending machine, to reduce dialing errors;

not be sent to unattended
fax machines, or to locations where the physical security of the
receiving system is unknown;

include a "confidentiality
request" asking that information sent to an incorrect destination be destroyed,
and that the sender be notified of such errors;

come from a sending fax
machine that is itself physically secure and appropriately monitored.

Though commonly denigrated
as a "transitional" technology (that is, soon to be replaced),
fax transmission is likely to remain an important communications mechanism
for some time. Attention to fax security thus remains very important.